According to a report by AegisLab, Android Market has been hit by another malware incident: a number of SMS-sending Trojans were published by unknown attackers.
The incident was not as serious as the one in March when over 50 apps were affected by the Droid Dream malware, although any attack affecting Android Market should be regarded as very serious.
The latest batch of malicious applications purports to be developed by the legitimate Android developer Zsone. However, the legitimate applications from that developer carry a version number different from the malicious versions. When one of the malicious applications is installed on the device, an SMS message is sent to one of the premium-rate numbers; the number differs depending on the application. The attack targets mobile devices in China, since the SMS subscription service numbers used are only available from Chinese mobile network providers.
Sophos has received several applications with the SMS sending functionality, including iCalendar, iMine and iMatch. The malicious versions of the applications I have seen come with the version number 1.1.0.
The most interesting characteristic of the latest set of Trojanized applications is that a special broadcast receiver is used to inspect every new SMS message received on the device. If the application receives an SMS message from the number that was previously used to register the phone for the service, the broadcast receiver attempts to abort the broadcast using the abortBroadcast() method. This can prevent other SMS applications from processing the message.

The obvious intention of the code is to hide the fact that the device is receiving messages from subscription-based services, so that the user remains unaware that they have been losing money. The latest Android incident shows that applications installed directly from the Google market can still be affected by malware. In an ideal world, Android apps would not be allowed to be self-signed; only keys certified by trusted authorities would be allowed. Although this measure would not prevent malicious applications, it would help with tracing the originators of rogue apps.
Having two classes of applications, signed by certified keys and self-signed, would allow developers of Android OS to limit the capabilities available to self-signed applications. For example, self-signed apps should not be able to send SMS messages. Perhaps this measure would not be a silver bullet but it would certainly be a welcome sign that Google is taking Android security more seriously.
Sophos products are detecting malicious SMS sending Android applications as Andr/AdSMS.
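As an added illustration (not from the Sophos write-up or the Zsone apps), the following Python script triages an AndroidManifest.xml for the pattern described above: an app that requests SEND_SMS and also registers a raised-priority receiver for incoming SMS, which is the position a receiver needs in order to see a message before the stock SMS app and abort the broadcast. Both manifests below are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
SEND_SMS = "android.permission.SEND_SMS"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"


def _android_attr(elem, name):
    """Read an attribute from the android: namespace (android:name, android:priority)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_sms_receivers(manifest_xml):
    """Return (receiver class, intent-filter priority) for every receiver that
    registers for incoming SMS. Priority 0 is the default; an app that wants to
    see a message before the stock SMS app (and abortBroadcast() it) must
    declare a higher value."""
    root = ET.fromstring(manifest_xml)
    found = []
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {_android_attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                prio = _android_attr(flt, "priority")
                found.append((_android_attr(rcv, "name"), int(prio) if prio else 0))
    return found


def triage_manifest(manifest_xml):
    """Score one AndroidManifest.xml for the send-and-intercept SMS pattern.
    Returns (verdict, reasons): 'high' when the app can send SMS and also holds
    a raised-priority receiver for incoming SMS, 'low' when it merely uses SMS
    permissions or receivers, 'none' otherwise."""
    root = ET.fromstring(manifest_xml)
    perms = {_android_attr(p, "name") for p in root.iter("uses-permission")}
    reasons = [p for p in (SEND_SMS, RECEIVE_SMS) if p in perms]
    raised = False
    for cls, prio in find_sms_receivers(manifest_xml):
        reasons.append("%s listens for SMS_RECEIVED at priority %d" % (cls, prio))
        raised = raised or prio > 0
    if SEND_SMS in perms and raised:
        return "high", reasons
    if reasons:
        return "low", reasons
    return "none", reasons


# Constructed sample, not the real Zsone manifest: a "calendar" app that can
# send SMS and puts itself ahead of the stock messaging app for incoming SMS.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.icalendar">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="iCalendar">
    <receiver android:name=".SmsWatcher">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign sample: a calendar app that only talks to the network.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.calendar">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Calendar">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        verdict, reasons = triage_manifest(manifest)
        print("%s: %s %s" % (label, verdict, reasons))
```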

In these slides I'm presenting a new alternative way to evade antivirus emulators simply by passing an input or an argument. Our objective here is to create a backdoor that evades antivirus detection.

The hackers who breached the security of Sony's PlayStation network and gained access to sensitive data for 77 million subscribers used Amazon's web services cloud to launch the attack, Bloomberg News reported.

The attackers rented a server from Amazon's EC2 service and penetrated the popular network from there, the news outlet said, citing an unnamed person with knowledge of the matter. The hackers supplied fake information to Amazon. The account has now been closed.

Bloomberg doesn't say how Amazon's cloud service was used to mount the attack. If the report is correct, it wouldn't be the first time it's been used by hackers.

German security researcher Thomas Roth earlier this year showed how tapping the EC2 service allowed him to crack Wi-Fi passwords in a fraction of the time and for a fraction of the cost of using his own computing gear. For about $1.68, he used special “Cluster GPU Instances” of the Amazon cloud to carry out brute-force cracks that allowed him to access a WPA-PSK protected network in about 20 minutes.

In both cases, those tapping the Amazon cloud did so as paid customers.

A top Sony executive recently implicated the Anonymous hacker collective in the attack on the PlayStation network but has so far provided no convincing evidence to support that claim. The attack, which penetrated core parts of the gaming network, was used to steal passwords, names, addresses, ages, email addresses and other data associated with 77 million accounts. The network has been closed for the past 23 days and Sony has provided no indication when it will reopen.

Context Information Security have released a module for IIS 7 to block information leakage from HTTP headers. A standard web application penetration test recommends the removal of any version number information. Previously the IIS urlscan tool could be used to block this information; for IIS 7 this is no longer possible, so Context have released this module to do it.

HTTP headers are name/value sets of data that are transmitted between the client (web browser) and the web server. HTTP headers are used to transmit key data such as HTTP cookies. Excessive HTTP headers can aid an attacker by either identifying particular technologies used within a web application or presenting specific software version information. Whilst minimising the attack surface by preventing information leakage is not a panacea, it is a step towards improving security. With the introduction of new Microsoft frameworks such as ASP.Net and MVC, it appears that the number of HTTP headers returned by the IIS web server is increasing. An example of these headers is shown below:

Just a quick post. Someone on the 'NULL' mailing list asked for WebGoat alternatives for learning web application penetration testing. The response was amazing, with many applications being listed as vulnerable web applications designed for learning web-app pentesting. I have collected all the vulnerable web applications and listed them below for reference:

Angry Birds for Chrome is not-so-subtly hiding the same secret so many other "Chrome Apps" hide. It's not Chrome-specific: it is, for the most part, a big, shiny favicon for your Chrome new tab page and a URL.
Just type http://chrome.angrybirds.com

into any modern browser and the game should load just fine. Performance in Internet Explorer 9 is particularly good, and audio was both clearer and louder than in other browsers. Firefox 4 and Opera 11.10 worked nicely, too, though there was some intermittent sluggishness on my laptop while playing the HD versions.
There’s something else worth knowing, too. Chances are good that you’ve already played (and possibly beaten) Angry Birds on at least one other platform already. Suppose, then, that you want to play a specific level and just aren’t interested in plodding through all the levels in sequence one more time. Why not just unlock all the levels by pasting a line of JavaScript code into your address bar?
To unlock all levels in Angry Birds Web use:

It only makes sense that a new era in Web-based gaming would lead to a new era in Konami codes, and that's exactly what you've got here. The JavaScript reaches into the HTML5 localStorage used by Angry Birds and fiddles with the bits which tell the game which levels you've opened up.

Here is a guide to getting ARM Backtrack Running on the Xoom (tested on Wifi Only Version, running 3.1)

After much frustration I have gotten the GUI part of the backtrack 5 arm release working with the Motorola Xoom.

Pre-requisites:
- Rooted Motorola Xoom (this may work with other phones, but it's untested at the moment)
- androidVNC from the Android Market
- Terminal Emulator from the Android Market (which you should already have)
- Backtrack 5 for ARM with Gnome downloaded and setup (check the README file, and follow the instructions.)
Link: Backtrack 5 http://www.backtrack-linux.org/downloads/

This tutorial will assume you put Backtrack 5 in the folder /sdcard/BT5 like the README says.

Launch the terminal emulator and enter the following commands:

Code:

cd /sdcard/BT5
su
sh bootbt

BackTrack will start up in a shell. You will get a red line that says "root@localhost:". To verify, type:

Code:

ls pentest

It should echo back the folders in pentest, stuff like 'backdoors','database',etc.

At this point enter the following commands:

Code:

export USER=root
vncpasswd

Running 'vncpasswd' sets the password for tightvncserver. Since I only connect locally I just use 'qwerty' for my password, and then confirm the password. When it asks if you want to create a view-only password, just type 'n' and hit enter. Once your VNC password is set, start the server up.

Code:

tightvncserver -geometry 1280x800

When this runs you will get a message confirming that "New 'X' Desktop is localhost:1" and a bunch of other output below it (it isn't important unless there are errors listed). At this point, press the "HOME" button on the Xoom and then open the application "androidVNC". In the "Nickname" box, you can name it whatever you like. In the "Password" entry, use your password (mine is 'qwerty'). In the "Address" box you can type in localhost (or leave it blank). Change the port from 5900 to 5901. I also recommend setting the colour depth to 24-bit. After that press the "Connect" button, and bam! You're rocking Backtrack 5 on your Motorola Xoom!!

Log poisoning has been used for years to upgrade local file inclusion vulnerabilities to remote command execution. In most cases, web server logs are used to execute such an attack. Most admins have become wise to the technique and do a decent job of preventing this. However, an equal amount of attention is not always paid to authentication logs.

I was recently attempting to exploit a LFI vulnerability on a pen test and was having no luck poisoning the web server logs. Previous scans of the target showed that an OpenSSH service was running. I took one last shot at the LFI vulnerability and below was the result. I was shocked to find that auth.log was world readable.

By default, OpenSSH writes an entry (consisting of the user name and other data) to auth.log for every authentication attempt made to the ssh daemon. Knowing this, I did some quick testing and found that I could inject PHP code into auth.log from the user name field of an ssh client simply by attempting to authenticate. The command took some time to get working right, as bash requires finesse when processing special characters, but after some troubleshooting I came up with the following:

One issue I encountered is that OpenSSH makes 3 entries containing the user name to auth.log for every authentication attempt. In the following example, only one authentication attempt was made, but, as you can see, it appears in the log 3 times.

The injected command will run 3 times unless php execution is terminated after the 1st command. I did this above with the exit; command. The unfortunate side effect is that you have one chance to get this right. Otherwise, you have to wait until the log cycles before you can make another attempt. Here is what the final product looked like with the addition of a pre-format tag for aesthetics.
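From the defender's side, the two things that made this work were a PHP tag landing in auth.log via the ssh user name and the log being world-readable. The following Python detector (an added example, not from the original post) flags sshd entries whose attempted user name carries a PHP open tag and checks the file mode; the log lines are constructed, and the message formats are the common OpenSSH ones.

```python
import os
import re
import stat

# OpenSSH logs the client-supplied name verbatim in several messages per attempt
# (the post counts three); these patterns cover the common sshd forms.
SSHD_USER_RE = re.compile(
    r"sshd\[\d+\]: (?:"
    r"Invalid user (?P<u1>.+?) from \S+"
    r"|input_userauth_request: invalid user (?P<u2>.+?)(?: \[preauth\])?$"
    r"|Failed \S+ for invalid user (?P<u3>.+?) from \S+"
    r")"
)
# A PHP open tag is never a legitimate user name; its presence means someone is
# trying to turn this log into an includable script.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)


def user_from_line(line):
    """Return the attempted user name recorded in an sshd auth.log line, or None."""
    m = SSHD_USER_RE.search(line)
    if not m:
        return None
    return m.group("u1") or m.group("u2") or m.group("u3")


def poisoned_entries(lines):
    """Return (line number, user name) for entries carrying a PHP tag."""
    hits = []
    for num, line in enumerate(lines, 1):
        user = user_from_line(line)
        if user is not None and PHP_TAG_RE.search(user):
            hits.append((num, user))
    return hits


def mode_is_world_readable(mode):
    """True if 'other' can read; auth.log should be 0640 root:adm so an LFI bug
    in a web app running as the web server user cannot include it."""
    return bool(stat.S_IMODE(mode) & stat.S_IROTH)


def auth_log_exposed(path):
    """Permission check on the real file, for use on a host."""
    return mode_is_world_readable(os.stat(path).st_mode)


# Constructed sample, not a real capture: one poisoned attempt (logged three
# times, as described above), one normal key login and one plain guess.
SAMPLE_AUTH_LOG = """\
May 10 14:02:11 web1 sshd[2211]: Invalid user <?php echo 1; ?> from 10.0.0.5
May 10 14:02:11 web1 sshd[2211]: input_userauth_request: invalid user <?php echo 1; ?> [preauth]
May 10 14:02:13 web1 sshd[2211]: Failed password for invalid user <?php echo 1; ?> from 10.0.0.5 port 51122 ssh2
May 10 14:03:40 web1 sshd[2230]: Accepted publickey for deploy from 10.0.0.9 port 51190 ssh2
May 10 14:05:02 web1 sshd[2240]: Invalid user admin from 10.0.0.5
"""

if __name__ == "__main__":
    for num, user in poisoned_entries(SAMPLE_AUTH_LOG.splitlines()):
        print("line %d: PHP tag in user name %r" % (num, user))
```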

In the past hour a new application has begun spreading on Facebook which has found an exploit in the existing sharing system. Whatever you do, don’t click the link described below.

The system is pretty straightforward. It suggests that you click "VERIFY MY ACCOUNT" within a link, which ultimately results in the user posting the same message to all their friends' walls. The message typically resembles the following one:

The source code of the ZeuS botnet is now available for download. I imagine there are a few organizations who would like to talk to the author(s) of this code.

All developers have coding habits, that is, they usually have a particular way of writing each coding construct. Different developers have different sets of habits, and sometimes individual developers have a way of writing some language construct that is rarely used by other developers. Are developer habits sufficiently unique that they can be used to identify individuals from their code? I don't have enough data to answer that question. Reading through the C++ source of ZeuS I spotted a few unusual usage patterns (I don't know enough about common usage patterns in PHP to say much about that source) which readers might like to look for in code they encounter, perhaps putting a name to the author of this code.

The source is written in C++ (32.5 KLOC of client source) and PHP (7.5 KLOC of server source) and is of high quality (the C++ code could do with more comments, say to the level given in the PHP code); many companies could increase the quality of their code by following the coding standard that this author seems to be following. The source is well laid out and there are plenty of meaningful variable names.

So what can we tell about the person(s) who wrote this code?

There is one author; the usage patterns are consistent and nothing jumps out at me as being sufficiently different that it could have been written by somebody else,

The author is fluent in English; based on the fact that I did not spot any identifiers spelled using unusual word combinations that often occur when a developer has a poor grasp of English,

The usage that jumped out at me the most is:

for(;; p++)if(*p == '\\' || *p == '/' || *p == 0)
{
...

This is taking to an extreme the idea that if a ‘control header’ has a single statement associated with it, then they both appear on the same line; this usage commonly occurs with if-statements and this for/while-statement usage is very rare (this usage also occurs in the PHP code),

The usage of true/false in conditionals is similar to that of newbie developers, for instance writing:

Vertical alignment is not common and I would have said that alignment was more often seen in definitions than statements, the reverse of what is seen in this code,

Non-terminating loops are created using for(;;) rather than the more commonly seen while(TRUE),

The author is happy to use goto to jump to the end of a function, not a rare habit but lots of developers have been taught that such usage is bad practice (I would say it depends, but that discussion belongs in another post),

Unnecessary casts often appear on negative constants (unnecessary in the sense that the compiler is required to implicitly do the conversion). This could be another instance of a previous Microsoft compiler bug causing a developer to adopt a coding habit to work around the problem.

Could the source have been processed by a code formatter to remove fingerprint information? I think not. There are small inconsistencies in layout here and there that suggest human error; also, automatic layout tends to have a 'template' look to it that this code does not have.

Most Metasploit modules are intended to be as “safe” as possible; to get access to a system and get information from it, hopefully without causing any serious crashes, all great for a pen test. But if you’re in a CTF or other competition, sometimes you are finished with the system you’re on and just want to trash it. So when I saw jcran

, which includes a wonderful rickroll module, I dug up my system kill script, which starts a disk reformat (wipes the MBR and partition tables with zeros) and shuts down the system. You can download here: kill.rb

At which point, when the system is powered on, you will see a message like "FATAL: No bootable medium found! System halted." or maybe "No Operating System found." or some other wonderful message. Enjoy. (Of course, on *nix you can just dd if=/dev/zero of=/dev/sda and wait for things to start dying.)

that results in remote exploitation on Mac OS. However, we had also discovered the same pattern of vulnerability in Skype two months ago. For testing reasons we had not yet reported it to the vendor, because we were looking at the malware angle of this vulnerability (whether it can be exploited to download malware on Mac OS X).

Firstly, we are not sure whether the researchers are talking about the same vulnerability. This is because we have seen the news but the vulnerability details are missing everywhere. So our team thought to take a step in this direction. We are presenting the details of the vulnerability that we discovered in Skype running over MAC OS.

Discussion: JavaScript is used extensively in all web-related platforms. The Skype application on Mac OS uses JavaScript too (most chat clients do, so not a big deal). This vulnerability does not affect Skype running on Windows or Linux. Skype fails to distinguish between the payloads that are sent as hyperlinks in the chat window. Only legitimate users in the victim's contact list can exploit it. The attacker only requires a definitive payload to exploit this issue. We call it Skype Remote Scripting (Injection).

Working:
In order to trigger this vulnerability, you need a vulnerable website that can be used as an agent to send the payload. For example, an attacker can use a vulnerable third-party website to trigger scripting injection in Skype (Mac OS). Generally, the following holds:

1. If an attacker sends a remote script payload as [script]alert(document.location);[script], Skype filters this injection in the chat engine, which is quite normal. We have used square brackets (for representation), but for real injections one has to use angle brackets as in XSS payloads.

B = [script]alert(document.location);[script]
Skype fails to treat it as one hyperlink (A+B). As a result, the B part executes in the context of Skype (Mac OS), resulting in remote scripting in Skype.

3. An attacker can use DOM injection to write arbitrary content into the chat window. There can be advanced variations of this.

4. Since Mac OS runs applications with the .app extension, it is possible to download malicious applications through Skype. One can also launch Safari automatically using DOM calls such as "window.open".

5. This vulnerability does not require any user interaction and runs the payload directly. One has to be careful, because it can execute content in both chat windows if both the attacker and the victim are using Skype (Mac OS). The attacker can use Skype on Windows or Linux to execute this attack.

Some of the PoCs are presented in the snapshots below, which show the vulnerability being exercised.

Injection 1:

Injection 2:

Injection 3:

This is really devastating from a security point of view. All versions before 5.1.0.922 are vulnerable. However, we still think variations of this type of issue are possible and that vulnerable versions can be exploited differently. Since it executes scripts, we can say that this vulnerability could be used in worm infections.

Is this the 0day Skype bug? Let's see what the other researchers release.

May 10, 2011

peepdf is a Python tool to explore PDF files in order to find out whether a file can be harmful or not. The aim of this tool is to provide all the components that a security researcher could need in a PDF analysis without using 3 or 4 tools to do all the tasks. With peepdf it's possible to see all the objects in the document, with the suspicious elements highlighted; it supports all the most used filters and encodings, and it can parse different versions of a file, object streams and encrypted files. With Spidermonkey and Libemu installed it provides JavaScript and shellcode analysis wrappers too. Apart from this, it's able to create new PDF files and to modify existing ones.

This article has 7 pages but I only bring 1 page into this post. If you want to see the full version of this article, please go to the source.

WebGL is a new web standard for browsers which aims to bring 3D graphics to any page on the internet. It has recently been enabled by default in Firefox 4 and Google Chrome, and can be turned on in the latest builds of Safari. Context has an ongoing interest in researching new areas affecting the security landscape. We found that:

1. A number of serious security issues have been identified with the specification and implementations of WebGL.

2. These issues can allow an attacker to provide malicious code via a web browser which allows attacks on the GPU and graphics drivers. These attacks on the GPU via WebGL can render the entire machine unusable.

3. Additionally, there are other dangers with WebGL that put users’ data, privacy and security at risk.

4. These issues are inherent to the WebGL specification and would require significant architectural changes in order to remediate in the platform design. Fundamentally, WebGL now allows full (Turing Complete) programs from the internet to reach the graphics driver and graphics hardware which operate in what is supposed to be the most protected part of the computer (Kernel Mode).

5. Browsers that enable WebGL by default put their users at risk of these issues.

WebGL

Throughout the history of the Web there has been a drive to allow greater interactivity and expressiveness in web content. Starting with the initial forays into scripting, extensive plugin capability and ActiveX through support for HTML5 functionality such as the video or canvas tags, more and more complexity has been provided in the browser by default.

At each stage in the evolution of the modern browser existing security tenets have had to be re-evaluated to ensure new functionality does not open up any serious attack vectors. As an example, before scripting was introduced there was no easy mechanism for a malicious page to gain access to another site’s content; therefore there would be no need for implementing a same-origin policy. Security decisions made during the early days of the browser may no longer be appropriate to modern advancements, especially ones regarding this cross-domain access of content.

An interesting discussion is underway on the freebsd-security mailing list. This is not necessarily new, but it is topical again since the following post. If a user obtains root inside a FreeBSD jail and creates a setuid executable, then an unprivileged user on the host can run that binary as root from the host, and so gain elevated privileges on the host.

This problem was already discussed in 2009, but no action was taken. The FreeBSD Security Team has chosen to leave this technique unpatched. Indeed, a jail is not an isolation mechanism comparable to a virtual machine and was never meant to be one. So this behaviour is not considered a bug, and forcing a fix would require architectural changes that could become constraining. It was therefore decided to address it at the documentation level, stating that an unprivileged user on the host should not have access to jails. Here is the manual page patch.

---Head/usr.sbin/jail/jail.8 Sun May 8 12:16:39 2011
(R221654)
+++Sun May 8 12:16:39 head/usr.sbin/jail/jail.8 2011
(R221655)
@@@@34.7 -34.7
.\"
.\"$ FreeBSD $
.\"
-.Dd January 17, 2010
+.Dd May 8, 2011
.Dt JAIL 8
.Os
.Sh NAME
@@@@431.7 -431.7 command script Can Be Used: .Bd-literal
D = /here/is/the/jail
cd /usr/src
mkdir -p $D
mkdir -p -m 0700 $D
make world DESTDIR = $D
make distribution DESTDIR = $D
mount-t devfs devfs $D/dev
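Review bot: `mkdir -p -m 0700 $D` protects the wrong directory: `$D` (`/here/is/the/jail`) is the jail's own root, `/` from inside, so jailed root can simply chmod it back to 0755 and reopen access, and `-m` applies only to the final component, not to the intermediate directories `-p` creates (`/here/is/the` keeps its umask default). The 0700 needs to sit on a directory above `$D` that the jail cannot see, which is what the text after the patch recommends (chmod 700 on the directory holding the jails); the example script should show that, e.g. `mkdir -p -m 0700 /here/is/the` before creating `$D`. (The `+`/`-` markers on the two `mkdir` lines were lost in extraction.)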
@@@@ -448.6 448.10 In The per-jail devfs.
A simple devfs ruleset for jails est disponible have ruleset # 4 in . Pa/etc/defaults/devfs.rules.
.Pp
+ Non-superuser In The host system "should not Be Able to Access the
+ Jail's files; With OTHERWISE year attacker root access to The Jail
+ Obtain elevated privileges "could be The Host.
+. Pp
Many cells in this example could Would far more Than In The jail needed.
The Other Extreme box in a jail Might Contain only one file:
The Executive to Be In The run jail.
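Review bot: the four `+` lines of the new `.Pp` paragraph are unreadable as shown (`With OTHERWISE year attacker root access to The Jail`); the intent, per the surrounding discussion, is a plain statement that non-superusers on the host system should not be able to access the jail's files, because otherwise an attacker with root access to the jail could obtain elevated privileges on the host, and the paragraph should say exactly that. Also `+. Pp` carries a stray space: the mdoc paragraph macro is `.Pp`, as on the unchanged line above it.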

The recommendation is to keep your jails three levels below / and to chmod 700 the directory holding the jails (at the second level). In other words, place your jails as /usr/jails/nomdunejail and run chmod 700 /usr/jails.
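To check a host for this condition, the following Python audit (an added example, not FreeBSD project code) verifies that the directory holding the jails denies access to group and other, lists setuid/setgid files under each jail root, and demonstrates the documented fix on a constructed temporary tree. It is meant to run on the host, not inside a jail.

```python
import os
import shutil
import stat
import tempfile


def parent_blocks_others(jails_dir):
    """True if the directory above the jail roots denies group and other all
    access (0700 or tighter), so host users cannot reach into any jail."""
    return (stat.S_IMODE(os.stat(jails_dir).st_mode) & 0o077) == 0


def setuid_files(jail_root):
    """(path, mode) of every setuid/setgid regular file under a jail root.
    lstat is used so a symlink planted by jailed root cannot point us elsewhere."""
    found = []
    for dirpath, _dirs, files in os.walk(jail_root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append((path, stat.S_IMODE(st.st_mode)))
    return sorted(found)


def audit(jails_dir):
    """Findings for one jails directory: is the parent open to host users, and
    which jails contain setuid/setgid files that such a user could run."""
    findings = {"parent_open": not parent_blocks_others(jails_dir), "setuid": {}}
    for jail in sorted(os.listdir(jails_dir)):
        root = os.path.join(jails_dir, jail)
        if os.path.isdir(root) and not os.path.islink(root):
            hits = setuid_files(root)
            if hits:
                findings["setuid"][jail] = hits
    return findings


def run_demo():
    """Build a constructed jails tree in a temp dir (one jail, one setuid file,
    parent directory 0755), audit it, apply the jail(8) fix (chmod 700 on the
    parent) and audit again. Returns (before, after)."""
    base = tempfile.mkdtemp()
    try:
        jails = os.path.join(base, "jails")
        os.mkdir(jails)
        os.chmod(jails, 0o755)                       # reachable by any host user
        bindir = os.path.join(jails, "web", "usr", "bin")
        os.makedirs(bindir)
        tool = os.path.join(bindir, "suid_tool")
        with open(tool, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(tool, 0o4755)                       # what jailed root would plant
        before = audit(jails)
        os.chmod(jails, 0o700)                       # the documented mitigation
        after = audit(jails)
        return before, after
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    before, after = run_demo()
    print("before fix:", before)
    print("after fix: ", after)
```

The setuid file is still present after the fix; the mitigation contains it by making the jail tree unreachable to unprivileged host users rather than removing it.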

A vulnerability for Ruby on Rails was recently patched [http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails].

Why the Patch Was Necessary

The default CSRF prevention built into Rails has two components: (1) a custom HTTP header, and (2) a CSRF token in the POST body. The default was designed so that only one, rather than both, of the components was required in a request. Modern browser security typically makes this a fairly secure method, because JavaScript cannot create custom HTTP headers and then have them sent across domains. However, a researcher from Google found a way to exploit this issue by using "certain combinations of browser plugins and HTTP redirects." Because of this discovery, the new patch for Ruby on Rails now requires both components to be in the request, preventing exploitation.

How the Vulnerability Bypassed the Default CSRF Security

A hidden flash file on a website automatically sent the following request:

Flash allowed the site where the file was running to specify POST data and additional headers. But before sending the request, Flash checked the site's crossdomain.xml file. Attackers then set up their crossdomain.xml files as follows:

http://www.attacker.com/crossdomain.xml

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy>
<allow-access-from domain="*"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

Based on this, the Flash file understood that it then had permission to send additional header information with its request, and proceeded to send the request with extra headers to

The attacker site returned a 307 redirect. The 307 is like a 302 redirect, but also allows the forwarding of POST data. The Flash application, realizing that the data was going to another Web server, attempted to retrieve the crossdomain.xml file for www.victim.com. Unfortunately, it appears that in certain circumstances, Flash will IGNORE the crossdomain.xml file for victim.com, and rely instead on the original crossdomain.xml file at www.attacker.com. After a confirmation message that would confuse most users, the Flash application sent a new request:

POST / HTTP/1.1
Host: www.victim.com
…
X-Header: test=data;
Cookie: abc=123
Content-Length: 9

post=body

We see here that the POST request was sent to www.victim.com, along with the additional headers and the POST body. This clearly illustrates that Web server frameworks can no longer rely solely on the implied security of additional HTTP Request Headers to prevent CSRF.
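The following Python model (an added example, not Rails code) puts the pre-patch decision next to the hardened one and runs both over a request shaped like the forwarded POST above. It assumes the forged custom header is X-Requested-With, the one Rails treated as proof of an XMLHttpRequest; the session token and both raw requests are constructed.

```python
import hmac
from urllib.parse import parse_qs


def parse_request(raw):
    """Minimal parser for a raw HTTP/1.1 request; constructed input only."""
    head, _sep, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _sep, value = line.partition(":")
        headers[name.strip()] = value.strip()
    params = {k: v[0] for k, v in parse_qs(body).items()}
    return {"method": request_line.split(" ")[0], "headers": headers, "params": params}


def token_matches(presented, expected):
    """Constant-time comparison; a missing token never matches."""
    return presented is not None and hmac.compare_digest(presented, expected)


def verified_request_weak(req, session_token):
    """Pre-patch logic: a custom header OR the form token is accepted, on the
    assumption that only same-origin JavaScript can add custom headers."""
    if req["method"] in ("GET", "HEAD"):
        return True
    if req["headers"].get("X-Requested-With") == "XMLHttpRequest":
        return True
    return token_matches(req["params"].get("authenticity_token"), session_token)


def verified_request_strict(req, session_token):
    """Post-patch logic: the header no longer substitutes for the token; every
    state-changing request must carry the token tied to the user's session."""
    if req["method"] in ("GET", "HEAD"):
        return True
    return token_matches(req["params"].get("authenticity_token"), session_token)


SESSION_TOKEN = "constructed-session-token-0123"   # what the victim's session holds

# Constructed after the request shown above: the forwarded POST carries the
# victim's cookie and a forged custom header, but no form token.
FORGED_REQUEST = (
    "POST / HTTP/1.1\r\nHost: www.victim.com\r\n"
    "X-Requested-With: XMLHttpRequest\r\nCookie: abc=123\r\n"
    "Content-Length: 9\r\n\r\npost=body"
)
# A genuine same-origin form submission carrying the session's token.
GENUINE_REQUEST = (
    "POST / HTTP/1.1\r\nHost: www.victim.com\r\nCookie: abc=123\r\n"
    "Content-Length: 59\r\n\r\n"
    "authenticity_token=constructed-session-token-0123&post=body"
)

if __name__ == "__main__":
    for label, raw in (("forged", FORGED_REQUEST), ("genuine", GENUINE_REQUEST)):
        req = parse_request(raw)
        print("%s: weak=%s strict=%s" % (
            label,
            verified_request_weak(req, SESSION_TOKEN),
            verified_request_strict(req, SESSION_TOKEN)))
```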

For more than two weeks, the PlayStation Network has been offline. PlayStation 3 and PSP owners have been unable to connect to the Internet, play games online or download new titles. Sony's working on a fix, user data has been compromised, and everyone has something to say on the matter.

However, it's important to understand how we got here. Below is the timeline of the PSN outage. This chronicles what led to this problem and what has happened since it occurred.